Firewall on Demand
Introduction
GEANT Information & Infrastructure Security Team
Evangelos Spatharas
Security Engineer
SA3-T1 Meeting
Vienna March 7th 2016
Networks ∙ Services ∙ People
www.geant.org
INDEX
DDoS seen by GÉANT
FoD Tutorial
What Firewall on Demand is
Why Flowspec?
Why Firewall on Demand?
How to subscribe
Future plans
Who Sees DDoS Attacks?
[Figure: "Peering Type Breakdown" pie chart with shares of 7%, 35% and 58% across NRENs, Interconnects and GÉANT, and a "DDoS Attacks Detected, No of Attacks per Month" bar chart for April 2015 - October 2015 (y-axis 0 to 6000); monthly counts shown on the bars are 4,862, 4,723, 4,184, 4,116, 1,877, 641, 509, 183, 143 and 81.]
DDoS – Ramifications
[Figure annotation: 36 Gb/s]
• Network
  • Performance degradation
  • Services malfunction
  • Outages
• Staff & Company
  • Productivity reduction
  • Wasted resources
  • Reputation
  • Profit reduction
• Clients
  • Dissatisfaction
  • Change upstream?
How to Deal with DDoS?
• Firewall filter deployment
  • Manual ACLs
    - Time consuming
    - Prone to mistakes
    + Highly effective
  • RTBH
    + Fast
    - Too coarse (all traffic to the victim prefix is blackholed, not just the attack)
  • BGP FlowSpec
    + Fast
    + Highly effective
• DDoS Scrubbing
  + Highly effective (if set up correctly)
  - Very expensive
From RFC to a WEB based tool
fod.geant.net
• New school rules: forget the CLI and the JunOS configuration language
Developed and designed by
What Firewall on Demand is
• Firewall on Demand, abbreviated as FoD, is a web application that lets subscribed users deploy firewall filters across the GÉANT network quickly and without hassle.
• Its distinguishing traits are:
  • Convenience: NREN users can use the web portal themselves, or make a request by phone or e-mail.
  • Simplicity: the web portal uses an intuitive, non-vendor-specific GUI wizard to configure router firewall filters.
• Under the hood, FoD is powered by BGP Flow Specification (flowspec) as described in RFC 5575.
*NOC/CERT users can still contact GEANT CERT using the traditional methods to request blocking
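What FoD generates from the wizard's fields is, on the wire, an RFC 5575 flowspec route. As an added example (not FoD's or GÉANT's code), the following encodes a rule such as "discard UDP to port 53 destined for 192.0.2.16/29" into the NLRI bytes of RFC 5575 section 4 and the traffic-rate extended community of section 7 that carries the discard or rate-limit action. The prefix, ports and AS number 64496 are documentation values chosen for illustration.

```python
"""Encode a BGP Flow Specification rule (RFC 5575) into its NLRI bytes and
the traffic-rate extended community that carries the action.
Added example, not part of FoD or GEANT's code; addresses and the AS number
are documentation values chosen for illustration."""
import ipaddress
import struct

# Component types, RFC 5575 section 4 (they must appear in ascending order)
DST_PREFIX, SRC_PREFIX, IP_PROTO, DST_PORT, SRC_PORT = 1, 2, 3, 5, 6


def _prefix_component(comp_type, prefix):
    """Type 1/2: <type><prefix length in bits><only the significant prefix bytes>."""
    net = ipaddress.IPv4Network(prefix, strict=True)   # FoD is IPv4 only
    nbytes = (net.prefixlen + 7) // 8
    return bytes([comp_type, net.prefixlen]) + net.network_address.packed[:nbytes]


def _numeric_component(comp_type, values):
    """Type 3/5/6: a list of (operator, value) pairs, equality match on any
    of the values (consecutive operators without the 'a' bit are OR-ed)."""
    out = bytearray([comp_type])
    for i, value in enumerate(values):
        if value < 0x100:
            length_bits, packed = 0b00, struct.pack(">B", value)
        elif value < 0x10000:
            length_bits, packed = 0b01, struct.pack(">H", value)
        else:
            length_bits, packed = 0b10, struct.pack(">I", value)
        end_of_list = 0x80 if i == len(values) - 1 else 0x00
        operator = end_of_list | (length_bits << 4) | 0x01   # 0x01 = eq bit
        out += bytes([operator]) + packed
    return bytes(out)


def encode_flowspec_nlri(dst=None, src=None, proto=(), dst_port=(), src_port=()):
    """Return the NLRI: a 1- or 2-byte length followed by the components."""
    body = b""
    if dst:
        body += _prefix_component(DST_PREFIX, dst)
    if src:
        body += _prefix_component(SRC_PREFIX, src)
    if proto:
        body += _numeric_component(IP_PROTO, proto)
    if dst_port:
        body += _numeric_component(DST_PORT, dst_port)
    if src_port:
        body += _numeric_component(SRC_PORT, src_port)
    if len(body) < 240:
        length = bytes([len(body)])
    else:                                    # RFC 5575: 0xFnnn two-byte length
        length = struct.pack(">H", 0xF000 | len(body))
    return length + body


def traffic_rate_community(rate_bytes_per_sec=0.0, asn=0):
    """Extended community type 0x80, subtype 0x06 (RFC 5575 section 7):
    a 2-byte AS plus an IEEE float rate in bytes/s; a rate of 0 discards."""
    return struct.pack(">BBHf", 0x80, 0x06, asn, rate_bytes_per_sec)


def drop_udp_dns_rule():
    """Worked rule: discard UDP (protocol 17) to port 53 for a victim /29,
    the largest destination prefix FoD accepts."""
    nlri = encode_flowspec_nlri(dst="192.0.2.16/29", proto=[17], dst_port=[53])
    return nlri, traffic_rate_community(0.0, asn=64496)


if __name__ == "__main__":
    nlri, action = drop_udp_dns_rule()
    print("NLRI  ", nlri.hex())
    print("action", action.hex())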
Why Flowspec?
Speed
Effectiveness
Efficiency
Why Firewall on Demand?
• Value-add tool, part of the NSHaRP service
• Easier audit of flowspec filters
• Easier removal (auto-expire)
• Cleaner traditional filters, without "temp" terms that pile up over time
• Reporting (to be supported)
• What? You want more?
What you CAN do with FoD
• Propagate flowspec filters across the GÉANT network
• Filters CAN have a destination address from YOUR administrative IP space
• Submit as many filters as you want (TBC)
• Have an e-mail sent to yourself or to a ticketing system for tracking after a rule is submitted, edited or withdrawn
• See all rules submitted by you or your colleagues, by state (active/deactivated), from the past to the most current
What you CANNOT do with FoD
• Propagate IPv6 filters (TBC)
• Propagate a filter with a destination subnet bigger than a /29 (i.e. a shorter prefix)
• Access the FoD platform from an IP space other than your NOC's or the GÉANT network's space
Eligibility and How to Subscribe and Access
All GÉANT member NRENs may subscribe. The subscription process is as follows:
1. The NREN APM fills out the FoD application form (MS Excel based): NREN authorised users (by e-mail address), NOC subnet (for white-listing), and the NREN's AS number or AS-set.
2. The NREN APM sends the completed form to the GÉANT security team ([email protected]) and the information is entered into FoD.
3. An authorised NREN user, from a host in the NOC subnet, accesses https://fod.geant.net and clicks the "Shibboleth Login" button at the top right, then logs in using the standard eduGAIN method.
4. The new user's account is activated within 1 business day (assuming the login details match the information provided by the APM).
Shibboleth Attributes
FoD's Shibboleth module requires the release of the following attributes:
• givenName
• mail
• persistent-id
• principalName
• Surname (family name)
• uniqueID
How to Use FoD
After your account is activated, which you will be notified of by e-mail, you are ready to start Firewall-ing on Demand. The process is as simple as follows:
• Re-visit https://fod.geant.net and click the "Shibboleth Login" button
• After supplying your credentials you will have access to 5 main tabs:
1. Dashboard
2. Rules
3. Add Rule
4. My Profile
5. Admin
How to Use FoD - Dashboard
The Dashboard page displays the latest 10 rules that have been submitted for your institution, along with their current status. Deactivated rules can be re-activated and vice versa.
How to Use FoD - Rules
The Rules page displays ALL the rules (not just the latest 10) that have been submitted for your institution, sorted by status. From here you can reactivate or deactivate rules, or even edit them.
What is more, you can use the search box to look for particular rules and process them further.
How to Use FoD – Add Rule
The Add Rule page is where you go when you first see an attack. Adding a rule requires populating all the necessary fields, which are the following:
• Name
• Source Address
• Destination Address
• Then Actions
Note: It is recommended that the rule's name follows this format:
<NREN/Peering/IC>_<TYPE_OF_ATTACK>_<ACTION>_<DATE>
This will help you when searching for the rule later.
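The limits listed under "What you CAN/CANNOT do with FoD" and the fields on the Add Rule page can be checked before a rule is submitted. As an added example (not FoD's own validation code), the following Python validates a rule against them: IPv4 only, destination no wider than a /29, destination inside the NREN's administrative space, and the recommended name format. The set of action names and the YYYYMMDD date format are assumptions; the prefixes are documentation addresses.

```python
"""Pre-submission check of a FoD-style rule against the limits the slides state:
IPv4 only, destination no wider than /29, destination inside the submitting
NREN's administrative space, and the recommended rule name format
<NREN/Peering/IC>_<TYPE_OF_ATTACK>_<ACTION>_<DATE>.
Added example, not FoD's own validation code. The action names and the
YYYYMMDD date are assumptions; addresses are documentation prefixes."""
import ipaddress
import re
from dataclasses import dataclass

MIN_DST_PREFIXLEN = 29                       # "DST subnet bigger than /29" is refused
ORIGIN_TAGS = ("NREN", "Peering", "IC")      # first field of the recommended name
ALLOWED_ACTIONS = ("discard", "rate-limit")  # assumption: RFC 5575 traffic-rate actions


@dataclass
class Rule:
    name: str
    source: str          # e.g. "0.0.0.0/0" for "any"
    destination: str
    then: str


def name_problems(name):
    """Check the recommended <NREN/Peering/IC>_<TYPE_OF_ATTACK>_<ACTION>_<DATE> form."""
    parts = name.split("_")
    if len(parts) != 4:
        return ["name should have four '_'-separated fields: "
                "<NREN/Peering/IC>_<TYPE_OF_ATTACK>_<ACTION>_<DATE>"]
    problems = []
    if parts[0] not in ORIGIN_TAGS:
        problems.append(f"name should start with one of {ORIGIN_TAGS}")
    if not re.fullmatch(r"\d{8}", parts[3]):
        problems.append("name should end with a YYYYMMDD date (assumed format)")
    return problems


def validate_rule(rule, admin_space):
    """Return the list of reasons the rule would be refused; [] means it passes.
    admin_space is the NREN's administrative prefixes as strings."""
    problems = name_problems(rule.name)
    if rule.then not in ALLOWED_ACTIONS:
        problems.append(f"unknown action {rule.then!r}")
    try:
        src = ipaddress.ip_network(rule.source, strict=True)
        dst = ipaddress.ip_network(rule.destination, strict=True)
    except ValueError as exc:
        return problems + [f"bad prefix: {exc}"]
    if src.version == 6 or dst.version == 6:
        return problems + ["IPv6 filters are not supported"]
    if dst.prefixlen < MIN_DST_PREFIXLEN:
        problems.append(f"destination {dst} is wider than /{MIN_DST_PREFIXLEN}")
    admin = [ipaddress.ip_network(p) for p in admin_space]
    if not any(net.version == 4 and dst.subnet_of(net) for net in admin):
        problems.append(f"destination {dst} is outside the administrative space")
    return problems


if __name__ == "__main__":
    admin = ["192.0.2.0/24"]                 # constructed administrative space
    good = Rule("NREN_DNS-AMP_DISCARD_20160307", "0.0.0.0/0", "192.0.2.16/29", "discard")
    bad = Rule("temp block", "0.0.0.0/0", "198.51.100.0/24", "discard")
    print(validate_rule(good, admin))
    print(validate_rule(bad, admin))
```

Every problem is collected rather than failing on the first one, so a NOC operator who typed the name, a /24 and a foreign prefix under time pressure sees all three at once; the IPv6 and unparsable-prefix cases return early because the remaining checks only make sense for a valid IPv4 destination.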
How to Use FoD – My Profile
The My Profile page displays information related to your subscription, such as your administrative networks and name, your username and your e-mail.
Under the hood – Current Status
[Diagram: NREN A connected to GÉANT, with GÉANT peering to IX A, IX B and the Internet; FoD, shown alongside NSHaRP, injects Flowspec filters into the GÉANT network.]
Upgrade – Future Plans
[Diagram: the same topology (NREN A, GÉANT, IX A, IX B, Internet), with FoD now shown alongside NSHaRP & RepShield as the sources of Flowspec filters.]
FoD Roadmap
• June 2013: Flowspec testing on GÉANT backbone
• Sept. 2014: FoD test system installation (RHEL)
• Febr. 2015: FoD test system installation (Debian)
• Aug. 2015: FoD pilot
• Aug. 2015: Resolving FoD issues on RHEL
• Jan. 2016: Pentest & secure code review
• Febr. 2016: FoD going live
How to Contact us
In case you have any issues or queries in relation to FoD, please contact GÉANT Infrastructure & Security
team at [email protected]
Thank you
GEANT OPS Security Team
[email protected]